University of Washington Medicine has agreed to settle for $750,000 following a 2013 data breach that exposed the health information of 90,000 patients.
The steady stream of such settlements illustrates HHS' concern over providers' compliance with the security provisions of the Health Insurance Portability and Accountability Act, experts say. HHS' Office for Civil Rights said this newest settlement demonstrates the need for organization-wide risk analyses. The settlement also calls on UWM to provide documentation showing a structural reorganization of its compliance program.
The breach occurred after a UWM employee downloaded an e-mail attachment that contained malware. The malware compromised the organization's information technology system, exposing patients' names, medical record numbers, charges, and in some cases, addresses, phone numbers, birth dates, Social Security numbers and insurance identification or Medicare numbers.
Under HIPAA, covered entities, including the component entities of an affiliated covered entity, must have certain policies and processes in place to protect patient data. OCR's investigation found that UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the risks those assessments identified.
A failure to hold affiliates accountable for implementing organization-wide policies and procedures has been a theme in a number of settlements HHS' Office for Civil Rights has reached with covered entities, said David Holtzman, a former OCR official and currently vice president of compliance at consulting firm CynergisTek.